Solved

H323 through an ASA

Posted on 2011-03-07
Last Modified: 2012-08-14
I have a setup as follows

H323 v codec ----- Cisco 877 -----VPN-----(outside) Cisco ASA 5510 (inside) ------- H323 Gateway.

The problem is that the H323 video codec is not registering with the H323 gateway. Other codecs which do not go through the firewall register with the gateway OK. The routing, VPN and connectivity between the two gateways is fine; they can talk to each other on any port on any protocol.

A packet capture on the 877 shows that the codec is sending out H323 register packets. With a show ipsec sa detail you can see the packets are being encrypted as this is currently the only traffic on the link. On the cisco ASA you can see the packets are being decrypted but then they vanish. A packet capture on the inside interface of the firewall shows no traffic from the video codec.

Full debugging on both the ASA and 877 does not show any errors. I have tried having both inspect option h323 turned on and off for the ASA on the .

Anyone got any ideas on why this traffic would be blocked?



 
0
Comment
Question by:question01
12 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35062022
0
 
LVL 20

Expert Comment

by:netcmh
ID: 35062078
policy-map global_policy
 class inspection_default
  inspect h323
  inspect sip

Would be all that's required, I think.
0
 
LVL 1

Author Comment

by:question01
ID: 35062124
Yes I have tried it with the following config and without.  

policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
 
Makes no difference.

Does the global_policy definitely apply to traffic coming out of a VPN?
0

 
LVL 1

Author Comment

by:question01
ID: 35062131
Why would I need SIP?
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35062180
Did you apply the policy to the outside interface?
What do the logs show?
0
 
LVL 1

Author Comment

by:question01
ID: 35062297
The global_policy applies to all traffic by default, doesn't it?

The only log from the ASA which mentions the codec is

Tear-down local-host outside:10.x.x.x duration: 00:00:00

The 10.x.x.x is the codec. This log gets created every 10 seconds or so with the duration at 00:00:00
0
 
LVL 1

Author Comment

by:question01
ID: 35062604
Canberra-ASA# show service-policy inspect h323 h225

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
        h245-tunnel-block drops 0 connection

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
        h245-tunnel-block drops 0 connection
Canberra-ASA# show service-policy inspect h323 ras

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35066334
It shows that the inspection did not recognize the H323 packets...
0
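The counter reading discussed in the comment above, as an added example that is not part of the original thread: a Python sketch that parses `show service-policy inspect h323 ...` output and lists every inspect entry whose packet counter is still 0. The sample text is the `ras` output posted above (trimmed); the function names are hypothetical.

```python
import re

# Sample input: the "show service-policy inspect h323 ras" output posted in the
# thread, trimmed to the lines this parser reads.
SAMPLE = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
"""

SCOPE_RE = re.compile(r"^(Global policy|Interface (\S+)):\s*$")
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s+(?P<engine>.+?),\s+packet (?P<packet>\d+),"
    r"\s+drop (?P<drop>\d+),\s+reset-drop (?P<reset_drop>\d+)")

def parse_inspect_counters(text):
    """Return one dict per Inspect line, tagged with scope, policy and class-map."""
    rows, scope, policy, cmap = [], None, None, None
    for line in text.splitlines():
        scope_m, insp_m = SCOPE_RE.match(line), INSPECT_RE.match(line)
        key, _, value = line.strip().partition(":")
        if scope_m:                       # "Global policy:" or "Interface <name>:"
            scope, policy, cmap = scope_m.group(2) or "global", None, None
        elif key == "Service-policy":
            policy = value.strip()
        elif key == "Class-map":
            cmap = value.strip()
        elif insp_m:
            row = {"scope": scope, "policy": policy, "class": cmap,
                   "engine": insp_m.group("engine")}
            row.update({k: int(insp_m.group(k)) for k in ("packet", "drop", "reset_drop")})
            rows.append(row)
    return rows

def idle_engines(rows):
    """Inspect entries whose packet counter is 0: nothing has been counted against them."""
    return [(r["scope"], r["policy"], r["engine"]) for r in rows if r["packet"] == 0]

if __name__ == "__main__":
    for scope, policy, engine in idle_engines(parse_inspect_counters(SAMPLE)):
        print(f"{scope}/{policy}: '{engine}' packet counter is 0")
```

Run against output captured before and after the codec attempts to register, an entry that stays in the idle list has had no packets counted by that inspection in between.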
 
LVL 1

Author Comment

by:question01
ID: 35075006
Yes, it looks that way. So why would it not be inspecting the H323 packets?

Does the global policy apply to traffic coming out of a VPN?

0
 
LVL 1

Accepted Solution

by:
question01 earned 0 total points
ID: 35089993
After a reboot of the firewall the problem is resolved. Not sure what was causing the problem, but the VPN was playing up with some strange errors.

0
 
LVL 1

Author Closing Comment

by:question01
ID: 35126460
Reboot fixed it.
0
 
LVL 20

Expert Comment

by:netcmh
ID: 35129291
Glad you got that resolved.
0
